v1.0.0 — Phase 0 baseline

@edwardsmit released this 20 May 06:54 · 6 commits to main since this release · e37a791

First maintained release since 2014. Today's code with the minimum patches to be CVE-clean on the original install target (Node 0.10+).

Security

  • Reject `deparam` parameter keys equal to `__proto__`, `constructor`, or `prototype` (same shape as qs CVE-2017-1000048 / CVE-2022-24999).
  • New `maxDepth` parameter on `deparam` (default 5) caps nesting depth; parameters exceeding it are silently dropped.

Tooling

  • Consolidated LICENSE with full attribution to jQuery and jquery-bbq.
  • Added `SECURITY.md`, `files` allowlist, `engines: ">=0.10"`.
  • CI matrix: full mocha on Node 18/20/22/24 via setup-node, Docker smoke on Node 0.10/0.12/4/6/8/10/12/14/16. Zero runtime CVEs.

Tests

  • Reference Conformance Spec (`test/conformance.spec.js`, 58 cases) pins the wire-format and security contract for all future modernization phases and any replacement library.

Install

```
npm install node-qs-serialization@1.0.0
```

Breaking change: callers passing prototype-polluting keys or relying on >5-deep nested parameters via `deparam` will see those values silently dropped. Both behaviors are pinned by the conformance spec.
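
The two behaviors listed under Security and restated in the breaking-change note, sketched as an added example; this is not code from node-qs-serialization. `safeDeparam`, `splitKey`, and `decode` are hypothetical names, the sketch handles nested-object keys only, and it assumes "depth" means the number of bracketed segments after the root key.

```javascript
// Added example: hypothetical helpers, not node-qs-serialization's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets is a single segment.
function splitKey(rawKey) {
  const open = rawKey.indexOf('[');
  if (open === -1) return [rawKey];
  const segments = [rawKey.slice(0, open)];
  const re = /\[([^\]]*)\]/g;
  re.lastIndex = open;
  let m;
  while ((m = re.exec(rawKey)) !== null) segments.push(m[1]);
  return segments;
}

// Assumption: "depth" is the number of bracketed segments after the root key.
function safeDeparam(query, maxDepth = 5) {
  const result = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    // Decode before checking, so %5B__proto__%5D cannot slip past the filter.
    const segments = splitKey(decode(eq === -1 ? pair : pair.slice(0, eq)));
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    // Drop the whole parameter, silently, on a blocked key or excess depth.
    if (segments.some((s) => BLOCKED_KEYS.has(s))) continue;
    if (segments.length - 1 > maxDepth) continue;
    let node = result;
    for (const k of segments.slice(0, -1)) {
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
      node = node[k];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Constructed sample input: two pollution attempts and one over-deep parameter.
const sample = 'user[name]=alice&user[__proto__][isAdmin]=1' +
  '&constructor[prototype][x]=1&a[b][c]=ok&a[b][c][d][e][f][g]=deep';
console.log(JSON.stringify(safeDeparam(sample)), ({}).isAdmin);
```

Because dropped parameters produce no error, a caller that needs to know about them has to compare the parsed keys against the raw query string itself.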